Cascading Style Sheets (CSS) is a language used to describe the presentation of markup documents, usually written in HTML.
Questions tagged [css]
47 questions
38
votes
1 answer
CSS based attacks
I'm currently working on a plugin for a CMS which should allow content editors to write inline style tags.
I'm looking for advice / links on how inline styles could be abused.
Part of the reason for the plugin is to allow for a strict content…
symcbean
- 18,278
- 39
- 73
27
votes
1 answer
What is meant by "Vulnerable with: css class selector" for JQuery?
I'm mostly a beginner in cybersecurity. I came across this the other day about how JQuery 1.3.2 is vulnerable to CSS Selectors and Location Hash (source).
I understand how XSS works and I know what CSS selectors are. But I don't really understand…
Akhil
- 403
- 5
- 10
23
votes
3 answers
How dangerous is it to use CSS styles from an untrusted source?
I'm a moderator at a forum. We want to have a new style for the forum.
We're thinking about announcing a competition to the users to come up with the best CSS design; we would adopt the best submission.
How dangerous would this be? How dangerous is…
HSN
- 1,188
- 12
- 23
22
votes
2 answers
Does this CSS code expose if a message is read, and how long they have been reading it?
This email analytics company offers an 'engagement metric' that shows how much time someone spends looking at an email, whether the email is printed or deleted.
They also claim it works in pretty much all email clients, be it web, desktop or…
Cleber Goncalves
- 403
- 3
- 7
11
votes
1 answer
Should javascript and css ".map" source maps be included on production servers?
Source maps are a convenient way to work with directly with code that has been obfuscated and/or minified, yet trace errors back to the original "pretty" code.
My understanding is that obfuscating and minifying code generally does not do anything…
Robert
- 607
- 5
- 13
9
votes
2 answers
Personal stylesheets
In reference to this question, I was researching whether or not there would be any security risks in letting users add their own stylesheets.
He brings up a scenario in which a dev might use positions to replace the search and password field. If…
Meghan
- 191
- 4
8
votes
3 answers
Can CSS file contain malware?
I know that javascript files can contain malware. However, I am not so sure about CSS files. They only affect how the page is displayed, right? I know that css files can be used for clickjacking but I cannot imagine how they can be used to infect…
Pervy Sage
- 467
- 2
- 6
- 13
7
votes
1 answer
Is it safe to allow CSS filter: url(data:
We have a web service where logged in users can create web page content and write custom CSS for their pages. All the HTML goes through a whitelist parser and doesn't allow any executable content. All the CSS is put through a whitelist parser that…
Mikko Rantalainen
- 513
- 2
- 11
6
votes
2 answers
XSS - arbitrary file in background-image css property
Is it possible to make an XSS attack if you can inject an arbitrary file (any extension, like: .js, .html etc...) in background-image CSS property? If yes, how to do it?
Bob
- 63
- 1
- 4
5
votes
3 answers
CAPTCHAs: How does simple math in cleartext prove you're human?
I'm intrigued that many sites use seemingly random numbers with a random operator as a security check to validate that you're not a bot. Forgive my ignorance in captcha technology, but what is stopping the bot from pulling the simple math problem…
mattshu
- 53
- 1
- 3
5
votes
1 answer
What's the security risk of using a protocol-relative URL in a CSS stylesheet?
I used SonarQube to perform a static code analysis of my project and it detected a security vulnerability in one of my CSS files:
For security reasons, protocol-relative URLs should not be used.
Noncompliant Code Example
@font-face {
src:…
Benoit Esnard
- 13,942
- 7
- 65
- 65
5
votes
1 answer
Why should class names be whitelisted?
I am using the Accept known good validation strategy to sanitize user input (rich HTML) and are using a 3rd party component to do this.
The component by default requires every permitted class name to explicitly listed, but also has a checkbox to…
Free Radical
- 734
- 5
- 14
5
votes
1 answer
Browser exploits based purely on HTML + CSS
In 2011, Eli Fox-Epstein demonstrated a Rule 110 machine in HTML + CSS3.
This led some to say that the combination of HTML + CSS3 is Turing complete.
Regardless of whether HTML + CSS3 is technically Turing complete, do any known exploits (in the…
sampablokuper
- 1,961
- 1
- 19
- 33
4
votes
1 answer
Calling JavaScript functions from within a Style tag XSS
I've identified an XSS in a client's application where they've failed to properly sanitize a variable. The application, however, is written in ASP.NET 2.x and they have request validation turned on.
I'm aware of the below string, which will bypass…
Jingo
- 151
- 1
- 5
4
votes
2 answers
To What Extent does an Attacker Have Access to the Browser History through the CSS Pseudoclass :visited Styles?
I have read this article on how a scripted web page is able to obtain the visited history of a user browsing the page. However, I can't find any clear information in the article describing the extent of who or what can access the user's browser…
gate_engineer